Colleagues In Cuffs: When Employees Steal Patient Records

The Queens County DA recently arrested two Jamaica Hospital employees for stealing patient data, a lucrative crime occurring at hospitals across the nation.

The Queens, N.Y., district attorney recently charged two employees of Jamaica Hospital Medical Center with illegally accessing emergency room patients' medical records and personal identification information, and selling that data to individuals who then solicited services such as outpatient care or legal assistance -- sometimes while patients were still in the ER.

“These defendants are accused of blatantly violating their HIPAA obligations and illegally trolling through confidential patient records. Their alleged actions led to patients who were seeking treatment for injuries unwittingly being victimized again with the illegal release of their personal information and medical records," said DA Richard Brown, in a statement.

Defendants Maritza Amador, 44, and Dache Prawl, 45, were registrars at the Queens, N.Y., hospital's ER. Allegedly the duo illegally accessed personal information, including Social Security numbers and medical data, and passed that information to people who falsely represented themselves as representatives of the hospital to patients. These individuals offered transportation to outpatient therapy, attorney services related to car accident injuries, and follow-up medical treatment, the DA charges. They were released without bail and their next court date is May 20, the Queens County DA's office told InformationWeek.

The Health Insurance Portability and Accountability Act (HIPAA) and the regulations that have grown up around it set high standards. Yet this is not the first -- and, no doubt, won't be the last -- time employees allegedly stole patient data.

In May 2013, a physician and office worker reportedly quit Pensacola, Fla.-based Sight and Sun Eyeworks without notice; they allegedly took with them 9,000 patient records and Social Security numbers, which they used to reschedule patients' appointments at their new practice, local media reported.

In San Francisco, a city employee allegedly sent the confidential data of about 2,500 Medi-Cal recipients to her home computer in an effort to combat her dismissal for "poor performance." The worker's attorneys and union representatives also saw the data, which included patient information and Social Security numbers. In another case, a former benefits clerk for United Healthcare Workers West was sentenced to 12 years and four months in prison for stealing the data of about 30,000 union employees of Kaiser Permanente in California. Crooks used the data to buy merchandise valued at more than $1 million, according to a published report.

A Miami respiratory therapist reportedly sold patients' personal information for up to $150 per person; buyers then used the data to illegally file and claim patients' tax returns, Florida media said. Tallahassee Memorial Hospital offered identity protection services to more than 100 patients after discovering a hospital employee illegally accessed data for a fraudulent tax scheme.

Despite many instances of malicious breaches, 75% of healthcare organizations believe employee negligence is their biggest security concern, according to the Fourth Annual Ponemon Report on Patient Privacy and Data Security. In 2013, 12% of organizations reported a malicious insider breached patient security, compared with 14% in both 2012 and 2011, the research firm said. The average cost of a data breach last year? Almost $2 million, down slightly from the prior year, Ponemon estimated.

Healthcare organizations will spend about $70 billion on security in 2017, a whopping 75% increase from $40 billion in 2012, according to the Boyd Company. Yet protecting data from greedy, careless, or disgruntled employees is, in some ways, more challenging than safeguarding records from external threats.

IT departments must enforce least privilege: each user gets access only to the records their role requires, authorizations are changed promptly when an employee's job changes, and all access is revoked the day an employee leaves the organization.
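As an added example (not code from the article or from any hospital system it names), the following Python script shows what the controls in the preceding paragraph look like when checked against EHR audit events: access by an account whose owner has already left, access to record fields outside a role's scope, activity from accounts with no roster entry, and unusually broad patient lookups in a single day. The roster, role scopes, log format, field names, user IDs and the bulk threshold are all constructed assumptions.

```python
"""Added example: check constructed EHR audit events against an HR roster to
surface insider-access patterns. Nothing here is from the article's sources."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime

# Constructed roster: user -> (role, date access should have ended, or None)
ROSTER = {
    "reg01": ("er_registrar", None),
    "reg02": ("er_registrar", date(2014, 3, 31)),  # left the hospital
    "rn07": ("er_nurse", None),
}

# Assumed minimal field scope per role (what the job actually needs)
ROLE_SCOPE = {
    "er_registrar": {"demographics", "insurance"},
    "er_nurse": {"demographics", "clinical"},
}

# Constructed audit log, one event per line: timestamp|user|patient|field
AUDIT_LOG = """\
2014-04-02T09:01:12|reg01|P1001|demographics
2014-04-02T09:03:44|reg01|P1001|clinical
2014-04-02T09:10:05|reg02|P1002|demographics
2014-04-02T09:12:30|rn07|P1003|clinical
2014-04-02T09:20:00|reg01|P1004|demographics
2014-04-02T09:21:00|reg01|P1005|demographics
2014-04-02T09:22:00|reg01|P1006|demographics
2014-04-02T09:23:00|reg01|P1007|demographics
2014-04-02T09:24:00|reg01|P1008|demographics
2014-04-02T09:25:00|ghost|P1009|insurance
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    patient: str
    field: str


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str  # unknown_user | stale_access | out_of_scope | bulk_lookup
    detail: str


def parse_log(text):
    """Parse the pipe-separated audit format assumed above into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, field = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), user, patient, field))
    return events


def audit(events, roster=ROSTER, scope=ROLE_SCOPE, bulk_threshold=5):
    """Return findings for each event that violates a control.

    bulk_threshold is an illustrative assumption: more than this many distinct
    patients touched by one user in one day is reported for review.
    """
    findings = []
    per_user_day = defaultdict(set)  # (user, date) -> distinct patients seen
    for ev in events:
        entry = roster.get(ev.user)
        if entry is None:
            # Account exists in the EHR but not in HR: orphaned or shared login
            findings.append(Finding(ev.user, "unknown_user",
                                    f"{ev.patient}/{ev.field}"))
            continue
        role, ended = entry
        if ended is not None and ev.ts.date() > ended:
            # Revocation on departure was missed or delayed
            findings.append(Finding(ev.user, "stale_access",
                                    f"left {ended}, read {ev.patient} on {ev.ts.date()}"))
        if ev.field not in scope.get(role, set()):
            # Field the role has no business need for (least privilege)
            findings.append(Finding(ev.user, "out_of_scope",
                                    f"{role} read {ev.field} of {ev.patient}"))
        per_user_day[(ev.user, ev.ts.date())].add(ev.patient)
    for (user, day), patients in per_user_day.items():
        if len(patients) > bulk_threshold:
            findings.append(Finding(user, "bulk_lookup",
                                    f"{len(patients)} distinct patients on {day}"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_log(AUDIT_LOG)):
        print(f"{f.user:8} {f.reason:14} {f.detail}")
```

In a real ER a registrar legitimately opens many records per shift, so the bulk check should be baselined per role and shift rather than fixed at a constant; the stale-access check is a backstop that should fire rarely if offboarding actually revokes accounts. The out-of-scope check depends on the EHR logging which fields were viewed, not just which chart was opened.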

In addition, managers, colleagues, and human resource departments -- as well as monitoring tools and alarms -- must put extra focus on unhappy employees. A mind-boggling 85% of employees are not satisfied with their jobs and only 13% are actively engaged, according to Gallup's "State of the Global Workplace" report. Of those dissatisfied employees, 24% are "actively disengaged," meaning they proactively undermine colleagues' work and, perhaps, help themselves to patient data to pad their bank accounts or wreak havoc on their employer.

Installing firewalls and locking down databases doesn't work if thieves have the keys or designed the infrastructure. To secure patient data, IT must ensure information is safe from everyone, even colleagues in the department across the hall.

Medical data breaches seem to show up on the 6 o'clock news almost every week. If you think it wouldn't happen to you -- or the financial impact will be minor -- think again. Download the Healthcare Data Breaches Cost More Than You Think report today. (Free registration required.)

Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...

Glad you found the IS Decisions Report useful. The research suggests many organizations are complacent about the issue of internal security - a prime example, as you point out, being former employees' log-on rights. Why does healthcare suffer double the average amount of internal security breaches? The reason may be connected to the proliferation of password sharing in healthcare. The good news is that there is a lot that IT departments can do to mitigate the risks - including password sharing. It's a technology issue as well as a cultural one, and can be addressed from both of these angles.

As part of the security awareness and training that I conduct for organizations - such as for PCI DSS, HIPAA, and other regulatory compliance frameworks - I always emphasize the criminal and legal aspect of stealing data. It seems to make people sit up in their chairs and pay attention. The accountability aspect of this is so important, because if employees know the true ramifications of their actions, they probably will not undertake such malicious tactics. I use myinformationsecuritypolicy.com for security awareness materials, if you are curious.

Thanks for sharing this IS Decisions report, @anon. Wish I'd run across it during the course of my research! Why, do you think, does healthcare experience this high rate of internal security breaches? I was also surprised to read the report's findings regarding culture vs. technology. A combination of the two -- hiring, ongoing training and education, plus technology tools -- is needed in order to combat internal threats. It's always amazing, for example, to discover how many organizations (across industries) don't deactivate a former employee's log-on rights as soon as they leave, whether voluntarily or involuntarily. That's one small example.

Our findings show organisations in the healthcare sector are experiencing double the average amount of internal security breaches, in comparison to all industries. The findings are based on research revealed in our recent report 'The Insider Threat Security Manifesto'.

The report also highlighted how the vast majority of IT professionals consider insider threats to be a purely cultural issue, and are not aware that technology can help them address internal security issues.

That's very interesting, @GoSmartyJones. To be honest, that's an aspect I had not considered -- educating employees about the penalties they will face if they do leak or steal data. It's definitely a natural fit with other best practices: Teaching new and existing employees how to safeguard information, both technologically and from social engineering, and the importance of maintaining secure patient records, emails, images, etc. I wonder, do you have any examples you can please share that demonstrate how merely taking that extra step and telling healthcare workers about the fines and jail time involved led to decreased breaches?

This step is something healthcare organizations can do almost immediately. Sadly, there's a ton of data freely available on fines and jail sentences healthcare employees have incurred because they've stolen or leaked patient data. And no doubt government organizations will be glad to share other info to encourage medical pros to be more proactive in their security efforts. Love this idea!

Once again, it's internal threats that are outweighing the external threats and causing monumental problems for companies. Doing the basic due diligence - background checks, credit checks, employment references, drug testing - all helps, no question about it. But what's really imperative is creating the notion of accountability within a company. More specifically, a sanctions policy and supporting procedures that clearly outline and detail the legal and criminal penalties faced by employees and other workforce members who undertake such malicious activities. You would be surprised at the number of employees who would NOT undertake such actions if they knew that jail time, fines, and other significant legal troubles lay ahead.

That is a great point, @Gary. I believe I mentioned errors in the article; it's very easy to make a mistake, one that ends up being extremely costly to your organization, with absolutely NO malice intended. For one thing, orgs should make sure people removing data or destroying drives understand why it's so important to do it correctly. Knowledge brings power; understanding why each step is important is more likely to ensure the vast majority of employees follow procedures. If they don't know, then they may be more likely to skip a step or two. QA is also critical. Someone with some degree of authority should check to make certain the job is done right.

While at Internet Evolution I wrote a horrifying story about employee bullying that centered on a top network pro who bullied a junior network administrator. As an IT manager looked into the bullying, he discovered the bully was also reading executives' mail, stealing documents and sharing data with union reps, and doing all sorts of other nefarious deeds that damaged the corporation. Although there had been a suspicion that someone had been reading email, this guy was never a suspect because he'd seemed so dedicated to the job, had been there a long time, etc. So yes, it's very difficult to figure out who really is unhappy if they want to hide the fact from management and colleagues.

Studies have shown money isn't always the most important part of keeping employees happy and engaged. That said, people should (IMHO) earn a livable wage, especially when they're in a career that's involved training and education.

Healthcare providers just don't get it. They refuse to see the need to fully secure their protected health information from unauthorized users -- and from authorized users who abuse their access privileges. As a result, they don't allocate enough budgetary resources for securing medical data.